On Monday, Microsoft stated that Iranian state-sponsored hackers are exploiting the Zerologon vulnerability in real-world attack campaigns.
Successful attacks let the hackers take over the servers known as domain controllers (DCs), which sit at the heart of many corporate networks and give an intruder complete control over authentication across the target environment.
In a short tweet today, Microsoft’s Threat Intelligence Center (MSTIC) said it has observed the Iranian attacks exploiting the Zerologon vulnerability for at least two weeks.
MSTIC attributed the attacks to a group of Iranian hackers that the company tracks as MERCURY, but which is more widely known by the nickname MuddyWater.
The group is believed to be a contractor for the Iranian government, working under orders from the Islamic Revolutionary Guard Corps, Iran’s primary intelligence and military service.
According to Microsoft’s Digital Defense Report, the group has in the past targeted NGOs (non-governmental organizations), intergovernmental organizations, government humanitarian aid, and human rights organizations.
However, Microsoft states that MERCURY’s most recent attacks targeted Middle Eastern and Asian entities, with most of the attacks concentrated on organizations in the telecommunications, government (IT services), and oil industry sectors.
The Windows Server Zerologon Vulnerability
Zerologon is a critical security flaw that, on successful exploitation, gives attackers domain administrator access. This lets them take control of the whole domain: the attacker can change any user’s password and execute any command.
Microsoft is rolling out the patch for Zerologon in two stages, because the fix can cause some affected devices to encounter authentication problems.
On September 29, Microsoft stated that admins should take preventive steps to protect devices against attacks using the Zerologon vulnerability.
The update plan Microsoft outlined at the time consists of the following actions:
- UPDATE your Domain Controllers with an update released August 11, 2020, or later.
- FIND which devices are making vulnerable connections by monitoring and observing event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
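The following PowerShell script is an added example of how a domain administrator could walk through those four steps on a domain controller; it is not code from the article or from Microsoft. It assumes the Netlogon event IDs 5827 through 5831 and the FullSecureChannelProtection registry value that Microsoft documents in its Zerologon (CVE-2020-1472) guidance, and the regular expression used to pull the machine account name out of the event message is an assumption about the message layout. Run it elevated on a DC; pass -Enforce only after the reported devices have been patched or deliberately exempted.

```powershell
# Added example (not from the article): audit a domain controller against the
# four Zerologon rollout steps. Assumes Netlogon event IDs 5827-5831 and the
# FullSecureChannelProtection value from Microsoft's CVE-2020-1472 guidance.
param(
    [switch]$Enforce   # step 4: only set this once step 3 is complete
)

# Step 1 (UPDATE): confirm an update from August 11, 2020 or later is installed.
$cutoff = Get-Date '2020-08-11'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff }
if (-not $recent) {
    Write-Warning "No updates installed since $($cutoff.ToShortDateString()); this DC is likely still vulnerable."
} else {
    "Updates installed since Aug 11, 2020: $($recent.Count)"
}

# Step 2 (FIND): pull the Netlogon events that the patched DC writes to the System log.
#   5827/5828 = vulnerable connection denied (machine account / trust account)
#   5829      = vulnerable connection allowed during the deployment phase -> must be fixed
#   5830/5831 = vulnerable connection allowed because of an explicit group-policy exemption
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827,5828,5829,5830,5831 } `
                       -ErrorAction SilentlyContinue
foreach ($g in ($events | Group-Object Id | Sort-Object Name)) {
    "Event {0}: {1} occurrence(s)" -f $g.Name, $g.Count
}

# Step 3 (ADDRESS): list the devices behind the 5829 events so they can be patched or exempted.
# The regex below assumes the message carries a 'Machine SamAccountName:' field.
$vulnerable = $events | Where-Object Id -eq 5829 | ForEach-Object {
    if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed message>' }
} | Sort-Object -Unique
if ($vulnerable) {
    "Devices still making vulnerable Netlogon connections (address these before enforcing):"
    $vulnerable | ForEach-Object { "  $_" }
} else {
    "No vulnerable (5829) Netlogon connections logged."
}

# Step 4 (ENABLE): report, and optionally switch on, enforcement mode.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
"FullSecureChannelProtection currently: " + $(if ($null -eq $current) { 'not set (phase default)' } else { $current })
if ($Enforce) {
    if ($vulnerable) {
        Write-Warning "Devices above still use vulnerable connections; enforcement will start rejecting them."
    }
    Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    "Enforcement mode enabled: Netlogon will now reject vulnerable secure channel connections."
}
```

Without -Enforce the script is read-only, so it can be scheduled to re-run while the 5829 list is being worked down; once that list is empty, a single run with -Enforce completes the rollout on that DC.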